Thursday, March 20, 2014

Application Information Service - The heart of UAC

In this article we will talk about the Application Information Service (AIS), which is the core of Windows User Account Control (UAC) and the centerpiece of the post-Vista security model.

Introduction

When running an application you may come across a scenario where the application causes a UAC prompt to be presented to the user, asking for his/her consent to proceed with executing the application with elevated privileges. The action is first checked for

The Application Information Service (AIS) is at the heart of the User Account Control prompt. Whenever an application requires an elevated token, the request is referred to AIS. AIS communicates with consent.exe, which finds out whether the user gives consent or not. Only then is control passed to the application and the binary code of the application gets control of the processor. Explorer does not read the manifest; explorer just hands the application control of the processor.

To show that the consent prompt is launched by a service (AIS) and not by explorer.exe, we cause a prompt to be displayed and, as soon as we return to the normal desktop with Process Explorer running, press the space bar to pause Process Explorer from updating. In the screenshot below (Fig1) we see that svchost.exe calls consent.exe.

Fig1: Who calls consent.exe?

This svchost.exe is the one that was launched with the '-k netsvcs' switch, as shown in Fig2. This particular svchost.exe instance is the one that hosts the Application Information Service.

Fig2: svchost.exe calls consent.exe

When is the Application Information Service started?

It runs under the netsvcs group. The command line is shown in the SCM panel when looking up the details of the service: it runs as 'C:\WINDOWS\system32\svchost.exe -k netsvcs' and uses 'appinfo.dll'. If we look for appinfo.dll in Process Explorer, it is found loaded in a svchost.exe (PID 628 in this example), as shown in Fig3 below:

Fig3: Who hosts appinfo.dll (AIS)?

When we look at the properties of process 628 we see that it is the svchost.exe started with the 'netsvcs' parameter, as shown in Fig4 below:

Fig4: svchost hosts appinfo.dll
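The same check the screenshots above perform by hand, as an added example that is not part of the original post: query the Appinfo service from the Service Control Manager, find the svchost.exe instance that hosts it, and confirm that appinfo.dll is loaded in that process. The service short name 'Appinfo' is the real Windows service name; the function name is my own.

```powershell
# Added example (not part of the original post): query the Application
# Information Service (service name 'Appinfo'), find the svchost.exe that
# hosts it and confirm appinfo.dll is loaded in that process.
# Run from an elevated PowerShell session so the module list of the
# SYSTEM-owned svchost.exe can be read.

function Get-AppinfoHostInfo {
    # Service record as the Service Control Manager sees it
    $svc = Get-CimInstance Win32_Service -Filter "Name='Appinfo'"
    if (-not $svc) { throw "Appinfo service not found" }

    $result = [ordered]@{
        ServiceState   = $svc.State        # 'Running' or 'Stopped'
        StartMode      = $svc.StartMode    # normally 'Manual'; started on demand
        ServicePath    = $svc.PathName     # e.g. C:\WINDOWS\system32\svchost.exe -k netsvcs
        HostPid        = $svc.ProcessId    # 0 while the service is stopped
        HostCmdLine    = $null
        AppinfoLoaded  = $false
        AppinfoDllPath = $null
    }

    if ($svc.ProcessId -ne 0) {
        # Command line of the hosting svchost.exe shows the -k group it was started with
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
        $result.HostCmdLine = $proc.CommandLine

        # Module list of that process: appinfo.dll is expected to be loaded here
        $mod = (Get-Process -Id $svc.ProcessId).Modules |
               Where-Object { $_.ModuleName -ieq 'appinfo.dll' }
        if ($mod) {
            $result.AppinfoLoaded  = $true
            # Expected under %SystemRoot%\System32; anything else deserves a closer look
            $result.AppinfoDllPath = $mod.FileName
        }
    }
    [pscustomobject]$result
}

Get-AppinfoHostInfo | Format-List
```

On a current Windows 10 or 11 machine with enough memory, service hosts are split into separate svchost.exe instances, so the command line typically reads 'svchost.exe -k netsvcs -p -s Appinfo' rather than the shared netsvcs instance seen in the 2014 screenshots; the check above still applies because it follows the service's own ProcessId rather than guessing which svchost.exe to inspect.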

AIS facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks.

The shell checks with this service when it launches an application. AIS is the component that reads the manifest and its 'trustInfo' XML section, which carries the 'requestedExecutionLevel' requirement. Since AIS is a service, it can re-spawn the process with the appropriate execution level; the child is then re-parented and made a child process of the calling application. The flow is explained in the diagram Fig4 below:

Fig4: The process flow of the UAC prompt

If AIS is not running, applications that require an elevated token will not be able to run with one.